Actionable information crucial part of IT security

IT security departments need to learn to pay attention to actionable information in order to prevent digital disasters.

The term "actionable information" is not often used by IT-security professionals. That's changing. Companies now realize paying attention to actionable information can prevent digital disasters. Target learned that firsthand when company employees responsible for IT security did not heed warnings that in hindsight required immediate action. "As they (attackers) uploaded exfiltration malware to move stolen credit card numbers — first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia — FireEye spotted them," mentions this Bloomberg Business article. "Bangalore got an alert and flagged the security team in Minneapolis. And then... nothing happened."

Guidelines would be helpful

Members of the European Union Agency for Network and Information Security (ENISA), seeing the need for increased awareness regarding actionable information and IT security, published the report Actionable Information for Security Incident Response . "In the world of incident response, information is everything," begins the report. "The sooner incidents and vulnerabilities are detected and understood, the faster they can be handled and the less damage is caused. Accurate and timely information may help incident handlers reduce the number of infections, or address vulnerabilities before they are exploited."

The report's authors mention that businesses already process actionable information: data about markets, trends, and business-affecting news — just not information about IT security. The report offers examples of what could be considered actionable information regarding IT security:

Identified network-traffic anomalies

Malware flagged by Antimalware programs

IP addresses of known command and control servers which can be null-routed in constituency networks

Meeting the five criteria

The paper does not expend much effort on the exact content of IT-security related actionable information. The authors are more concerned that the actionable information meet certain quality requirements, including:

Relevancy: Care must be taken to make sure actionable information has significance to the recipient. It does no good to give a software developer news that the email server has been compromised.

Timeliness: This requirement is now obvious. However, timeliness needs to be quantified. Some actionable information needs dissemination immediately, whereas other information may benefit from a "wait and see" attitude. Reason being, immediacy can affect the next two criteria: completeness and accuracy.

Completeness: Is the actionable information unabridged? Information provided by a source and thought to be complete, may not be. "Many producers limit information in fear of revealing too much about their investigative methods," mentions the ENISA report. "Legal constraints may be another reason for withholding certain pieces of information."

This "Catch-22" situation complicates how much accuracy can be given to the actionable information.

Accuracy: IT-security information designated actionable must be addressed quickly, so any delay caused by having to vet accuracy is unacceptable. According to the paper, "Accuracy is the result of a combination of the confidence asserted by the source, the trust placed in the source and the local context of the receiver."

Ingestibility: Actionable information must be in a form that allows direct import into an organization's data-management system, allowing fast dissemination of indicators and direct access to procedures meant to deal with the security issue at hand.

Processing the information

The report then offers the following "information pipeline" to exemplify one way actionable information could be processed.

Image: ENISA

"Steps in the pipeline — collection, preparation, storage, analysis, and distribution — correspond to the natural flow of information in many relevant contexts," explains the report. "Such as existing processes in CERTs or workflows utilized by systems that are used to manage security data."

The concept model is generic, stresses the paper. Each organization, being unique, must develop an actionable-information handling system that workers and management feel comfortable with — finding process problems while tangling with a security threat is not a good situation.

"To our knowledge, this best-practice guide is the first study of its kind," concludes the ENISA report. The report's authors also mention current information exchanges are far from mature, and it is their hope the report will give companies incentive to improve upon that.